German Financial Regulator on Initial Coin Offerings

Norbert Gehrke
5 min readNov 17, 2017


This story is a translation of an article published in the German financial regulatory authority BaFin’s monthly journal.

BaFin Journal, November 2017

The purchase of coins — also referred to as tokens, depending on the design — in the context of so-called initial coin offers (ICOs) entails considerable risks for investors. These are highly speculative investments that are often not subject to capital market regulation. As with most trends, high public interest in ICOs also attracts scammers. This paper explains the legal background, discusses the risks of ICOs and provides important information for consumers.

Legal Basis

Since stock corporation law does not apply to ICOs, tokens do not require membership, information, control and voting rights. The provider can decide freely which rights or claims he grants to investors through the tokens. In most cases, providers describe their project and how the tokens work in a so-called whitepaper; occasionally they also publish terms and conditions. The contents of these documents, in contrast to the prospectuses of a share issue, are neither prescribed by law nor by a supervisory authority for completeness.

The implementation of an ICO does not require a specific form of business nor actual business operations. Even individuals who do not do business at all are technically able to offer tokens, as long as they have programming skills or assign them. The costs associated with such an issue are negligible compared to the cost of a share issue.

Risks for Consumers

The lack of legal requirements and transparency requirements for ICOs implies enormous risk for the investor. On the one hand, investors should be aware of the risks of loss — even an irreversible total loss of their investment is possible. Tokens are often subject to large price fluctuations. Some vendors are promising the tradability of their tokens on secondary market platforms. However, investors must be aware that they are not entitled to it and that the secondary market platform may not be regulated. The investor alone carries the risk that he cannot sell acquired tokens or only at a price that does not meet his expectations. He also carries the sole responsibility for the secure storage of the digital keys (private keys) in order to manage at all his tokens. The loss or theft of the private key equals a loss of all associated tokens.

Typically, ICO projects are at a very early, mostly experimental stage, so development and business model are unproven. At the same time, they are usually so complex that a deep technical understanding is necessary in order to comprehensively assess them.

On the other hand, ICO structures hold considerable potential for abuse and fraud. Only an expert can use the underlying programming code (such as the Smart Contract) to verify that the functionality of each token is specified in the white paper or terms of the agreement. The investor bears the risk that the provider makes false statements. The corresponding code can also contain programming errors and thus could be open to manipulation. The provider alone determines the content of the white paper so that the documentation is often objectively inadequate, incomprehensible or misleading. In addition, the provider of the whitepaper can change the contents at any time, both before and during the ICO. In many cases, there are no statutory consumer protection requirements and no investor protection instruments; the protection of personal data is not guaranteed. This also means a high level of legal uncertainty for the investor.

Consumers are generally at increased risk of fraud if the provider of the ICO is not clearly identifiable or if they invest in systems operated outside of Germany. In the event of a dispute, claims against token providers based abroad can be enforced — if at all — only with great effort and difficulty. In addition, as ICOs are potentially vulnerable to fraud or money laundering or could be used for such purposes, this also increases the risk that investors will lose their capital, including due to necessary action by the authorities against the operators or other persons involved in such illegal activities.

What Consumers Should Do

Before consumers decide to invest in ICOs, they should always check the identity, the seriousness and creditworthiness of the token provider. Since this is not subject to transparency regulations, they are on their own. In particular, investors should inform themselves about the domicile, legal form, date of incorporation, persons involved and capital resources of the provider, if the latter does not provide any information. If the provider claims to be subject to ICO-specific supervision by government authorities, investors should review this on the regulators’ websites. The registration of a foundation in Switzerland, for example, does not contain any information about the regulation of the ICO.

In any case, investors should ensure that they fully understand the benefits and risks of the project or investment. To do so, they should ask the issuer as many questions as necessary and verify its details using independent sources. They should also ensure that the characteristics of the project or investment meet their investment needs and risk appetite.

Role of BaFin

BaFin decides in individual cases on the basis of the concrete contractual structure of an ICO, whether the provider requires a license under the German Banking Act (KWG), the Capital Investment Code (KAGB), the Payment Services Supervision Act (ZAG) or the Insurance Supervision Act (VAG) and whether it has to comply with the requirements of the prospectus.

Tokens are usually financial instruments (units of account) within the meaning of the German Banking Act. Companies and persons who mediate the acquisition of tokens, commercially sell or sell tokens or operate secondary market platforms on which tokens are traded, in principle have a BaFin permit.

If BaFin receives indications of possible unauthorized transactions, it will investigate them and, if necessary, take administrative action. Independently of this the action is punishable without permission. The prosecution authorities are responsible for the prosecution of the crime. In this respect, there are also considerable risks for commercial providers of token sales and operator of switching platforms in Germany.



Norbert Gehrke

Passionate about strategy & innovation across Asia. At home in Japan. Connector of people & ideas.